Add a new kernel subsystem, NetLabel, to provide explicit packet labeling services (CIPSO, RIPSO, etc.) to LSM developers. NetLabel is designed to work in conjunction with a LSM to intercept and decode security labels on incoming network packets as well as ensure that outgoing network packets are labeled according to the security mechanism employed by the LSM. The NetLabel subsystem is configured through a Generic NETLINK interface described in the header files included in this patch. Signed-off-by: Paul Moore <[email protected]> Signed-off-by: David S. Miller <[email protected]>
Showing
12 changed files
with
2,395 additions
and
0 deletions.
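--- /dev/null
+++ b/net/netlabel/Kconfig
@@ -0,0 +1,14 @@
+#
+# NetLabel configuration
+#
+
+config NETLABEL
+	bool "NetLabel subsystem support"
+	depends on NET && SECURITY
+	default n
+	---help---
+	  NetLabel provides support for explicit network packet labeling
+	  protocols such as CIPSO and RIPSO. For more information see
+	  Documentation/netlabel.
+
+	  If you are unsure, say N.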
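Review bot: `default n` on the NETLABEL symbol is redundant, since a bool symbol without a default already defaults to n, and kernel reviewers usually ask for the line to be dropped. The help text also never tells the user that this option only provides labeling plumbing and has no effect unless an LSM consumes the labels, which the commit message states is the design; one added sentence such as `This option is only useful together with an LSM that uses the NetLabel packet labels.` would keep it from being enabled for no effect.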
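--- /dev/null
+++ b/net/netlabel/Makefile
@@ -0,0 +1,16 @@
+#
+# Makefile for the NetLabel subsystem.
+#
+# Feb 9, 2006, Paul Moore <[email protected]>
+#
+
+# base objects
+obj-y := netlabel_user.o netlabel_kapi.o netlabel_domainhash.o
+
+# management objects
+obj-y += netlabel_mgmt.o
+
+# protocol modules
+obj-y += netlabel_unlabeled.o
+obj-y += netlabel_cipso_v4.o
+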
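--- /dev/null
+++ b/net/netlabel/netlabel_cipso_v4.h
@@ -0,0 +1,217 @@
+/*
+ * NetLabel CIPSO/IPv4 Support
+ *
+ * This file defines the CIPSO/IPv4 functions for the NetLabel system. The
+ * NetLabel system manages static and dynamic label mappings for network
+ * protocols such as CIPSO and RIPSO.
+ *
+ * Author: Paul Moore <[email protected]>
+ *
+ */
+
+/*
+ * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
+ * the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ */
+
+#ifndef _NETLABEL_CIPSO_V4
+#define _NETLABEL_CIPSO_V4
+
+#include <net/netlabel.h>
+
+/*
+ * The following NetLabel payloads are supported by the CIPSO subsystem, all
+ * of which are preceeded by the nlmsghdr struct.
+ *
+ * o ACK:
+ * Sent by the kernel in response to an applications message, applications
+ * should never send this message.
+ *
+ * +----------------------+-----------------------+
+ * | seq number (32 bits) | return code (32 bits) |
+ * +----------------------+-----------------------+
+ *
+ * seq number: the sequence number of the original message, taken from the
+ * nlmsghdr structure
+ * return code: return value, based on errno values
+ *
+ * o ADD:
+ * Sent by an application to add a new DOI mapping table, after completion
+ * of the task the kernel should ACK this message.
+ *
+ * +---------------+--------------------+---------------------+
+ * | DOI (32 bits) | map type (32 bits) | tag count (32 bits) | ...
+ * +---------------+--------------------+---------------------+
+ *
+ * +-----------------+
+ * | tag #X (8 bits) | ... repeated
+ * +-----------------+
+ *
+ * +-------------- ---- --- -- -
+ * | mapping data
+ * +-------------- ---- --- -- -
+ *
+ * DOI: the DOI value
+ * map type: the mapping table type (defined in the cipso_ipv4.h header
+ * as CIPSO_V4_MAP_*)
+ * tag count: the number of tags, must be greater than zero
+ * tag: the CIPSO tag for the DOI, tags listed first are given
+ * higher priorirty when sending packets
+ * mapping data: specific to the map type (see below)
+ *
+ * CIPSO_V4_MAP_STD
+ *
+ * +------------------+-----------------------+----------------------+
+ * | levels (32 bits) | max l level (32 bits) | max r level (8 bits) | ...
+ * +------------------+-----------------------+----------------------+
+ *
+ * +----------------------+---------------------+---------------------+
+ * | categories (32 bits) | max l cat (32 bits) | max r cat (16 bits) | ...
+ * +----------------------+---------------------+---------------------+
+ *
+ * +--------------------------+-------------------------+
+ * | local level #X (32 bits) | CIPSO level #X (8 bits) | ... repeated
+ * +--------------------------+-------------------------+
+ *
+ * +-----------------------------+-----------------------------+
+ * | local category #X (32 bits) | CIPSO category #X (16 bits) | ... repeated
+ * +-----------------------------+-----------------------------+
+ *
+ * levels: the number of level mappings
+ * max l level: the highest local level
+ * max r level: the highest remote/CIPSO level
+ * categories: the number of category mappings
+ * max l cat: the highest local category
+ * max r cat: the highest remote/CIPSO category
+ * local level: the local part of a level mapping
+ * CIPSO level: the remote/CIPSO part of a level mapping
+ * local category: the local part of a category mapping
+ * CIPSO category: the remote/CIPSO part of a category mapping
+ *
+ * CIPSO_V4_MAP_PASS
+ *
+ * No mapping data is needed for this map type.
+ *
+ * o REMOVE:
+ * Sent by an application to remove a specific DOI mapping table from the
+ * CIPSO V4 system. The kernel should ACK this message.
+ *
+ * +---------------+
+ * | DOI (32 bits) |
+ * +---------------+
+ *
+ * DOI: the DOI value
+ *
+ * o LIST:
+ * Sent by an application to list the details of a DOI definition. The
+ * kernel should send an ACK on error or a response as indicated below. The
+ * application generated message format is shown below.
+ *
+ * +---------------+
+ * | DOI (32 bits) |
+ * +---------------+
+ *
+ * DOI: the DOI value
+ *
+ * The valid response message format depends on the type of the DOI mapping,
+ * the known formats are shown below.
+ *
+ * +--------------------+
+ * | map type (32 bits) | ...
+ * +--------------------+
+ *
+ * map type: the DOI mapping table type (defined in the cipso_ipv4.h
+ * header as CIPSO_V4_MAP_*)
+ *
+ * (map type == CIPSO_V4_MAP_STD)
+ *
+ * +----------------+------------------+----------------------+
+ * | tags (32 bits) | levels (32 bits) | categories (32 bits) | ...
+ * +----------------+------------------+----------------------+
+ *
+ * +-----------------+
+ * | tag #X (8 bits) | ... repeated
+ * +-----------------+
+ *
+ * +--------------------------+-------------------------+
+ * | local level #X (32 bits) | CIPSO level #X (8 bits) | ... repeated
+ * +--------------------------+-------------------------+
+ *
+ * +-----------------------------+-----------------------------+
+ * | local category #X (32 bits) | CIPSO category #X (16 bits) | ... repeated
+ * +-----------------------------+-----------------------------+
+ *
+ * tags: the number of CIPSO tag types
+ * levels: the number of level mappings
+ * categories: the number of category mappings
+ * tag: the tag number, tags listed first are given higher
+ * priority when sending packets
+ * local level: the local part of a level mapping
+ * CIPSO level: the remote/CIPSO part of a level mapping
+ * local category: the local part of a category mapping
+ * CIPSO category: the remote/CIPSO part of a category mapping
+ *
+ * (map type == CIPSO_V4_MAP_PASS)
+ *
+ * +----------------+
+ * | tags (32 bits) | ...
+ * +----------------+
+ *
+ * +-----------------+
+ * | tag #X (8 bits) | ... repeated
+ * +-----------------+
+ *
+ * tags: the number of CIPSO tag types
+ * tag: the tag number, tags listed first are given higher
+ * priority when sending packets
+ *
+ * o LISTALL:
+ * This message is sent by an application to list the valid DOIs on the
+ * system. There is no payload and the kernel should respond with an ACK
+ * or the following message.
+ *
+ * +---------------------+------------------+-----------------------+
+ * | DOI count (32 bits) | DOI #X (32 bits) | map type #X (32 bits) |
+ * +---------------------+------------------+-----------------------+
+ *
+ * +-----------------------+
+ * | map type #X (32 bits) | ...
+ * +-----------------------+
+ *
+ * DOI count: the number of DOIs
+ * DOI: the DOI value
+ * map type: the DOI mapping table type (defined in the cipso_ipv4.h
+ * header as CIPSO_V4_MAP_*)
+ *
+ */
+
+/* NetLabel CIPSOv4 commands */
+enum {
+	NLBL_CIPSOV4_C_UNSPEC,
+	NLBL_CIPSOV4_C_ACK,
+	NLBL_CIPSOV4_C_ADD,
+	NLBL_CIPSOV4_C_REMOVE,
+	NLBL_CIPSOV4_C_LIST,
+	NLBL_CIPSOV4_C_LISTALL,
+	__NLBL_CIPSOV4_C_MAX,
+};
+#define NLBL_CIPSOV4_C_MAX (__NLBL_CIPSOV4_C_MAX - 1)
+
+/* NetLabel protocol functions */
+int netlbl_cipsov4_genl_init(void);
+
+#endif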
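Review bot: The ADD payload description gives `tag count`, `levels` and `categories` as 32-bit counts that the kernel must walk to read the repeated `tag #X`, level and category records, but the only stated constraint is that tag count must be greater than zero, so this header does not tell a userspace author or a reviewer of the parser what upper bound is enforced; the parser lives in netlabel_cipso_v4.c outside this hunk, but the contract belongs here, e.g. `tag count: the number of tags, must be greater than zero; every count is checked against the remaining netlink payload before the records are read`. The same gap applies to the 8-bit CIPSO level and 16-bit category values, which are bounded only by `max r level` / `max r cat` without saying that an entry above them is rejected. Nothing in the comment states what privilege an application needs to send ADD or REMOVE; since these messages replace the MAC label mapping for a DOI, the comment should say that they are admin-only (CAP_NET_ADMIN via GENL_ADMIN_PERM) if that is how the genl ops are registered, which cannot be confirmed from this hunk. The LISTALL diagram shows `map type #X` both in the first row and again in the box below it, which reads like one `DOI #X` / `map type #X` pair that was meant to be marked `... repeated`. Typos while here: `preceeded` -> `preceded`, `priorirty` -> `priority`, `an applications message` -> `an application's message`.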